
Mozi Botnet Uses Web Traffic For Infecting Victims.

Microsoft's threat intelligence team has identified that the Mozi botnet is using a BitTorrent-like peer-to-peer network to infect IoT devices such as network gateways and digital video recorders. It is not uncommon for the hackers to target these devices, as they provide initial access into the victim's network.

The IT giant has also observed that the hackers are trying to intrude into networks via weak Telnet passwords and by exploiting a few IoT vulnerabilities, and that they have mostly targeted devices from manufacturers such as Netgear, Huawei and ZTE.

“By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities. In the diagram below we show just one example of how the vulnerabilities and newly discovered persistence techniques could be used together. Of course, there are many more possibilities.” reads the blog post.

Attack flow for Mozi botnet. Source: Microsoft

During the analysis, it was observed that the hackers also try to exploit vulnerabilities such as CVE-2015-1328 and CVE-2014-2321 once inside the box to gain additional file and folder access. One interesting feature of this malware is that it blocks ports 23, 2323, 7547, 3000, 50023 and 58000 to achieve persistence on the machine.
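The port-blocking behaviour above is something a defender can look for on a gateway they can still log into. The following is an added example, not code from Microsoft's post or from this article: it parses `iptables -S`-style output and reports which of the ports the article lists are being dropped on INPUT. A single dropped Telnet port is ordinary hardening, so the example only calls a ruleset suspicious when several of the listed ports are dropped together; that threshold, the sample ruleset and the function names are all assumptions of this example.

```python
"""Added example: flag firewall rules that drop inbound traffic on the ports
the article says Mozi blocks on an infected device. The input format is the
output of `iptables -S`; the sample ruleset below is constructed, not captured
from a real gateway."""
import re

# Ports the article names as blocked by Mozi to hold persistence.
MOZI_BLOCKED_PORTS = {23, 2323, 7547, 3000, 50023, 58000}

# Constructed `iptables -S` output from a hypothetical infected gateway.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 2323 -j DROP
-A INPUT -p tcp -m tcp --dport 7547 -j DROP
-A INPUT -p tcp -m multiport --dports 3000,50023,58000 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Matches both `--dport 23` and `--dports 3000,50023,58000`.
_DPORT = re.compile(r"--dports?\s+(\S+)")
_DENY = re.compile(r"-j (DROP|REJECT)\b")


def dropped_ports(rules: str) -> set[int]:
    """Return every destination port that an INPUT rule sends to DROP or REJECT."""
    found: set[int] = set()
    for line in rules.splitlines():
        if not line.startswith("-A INPUT") or not _DENY.search(line):
            continue
        match = _DPORT.search(line)
        if not match:
            continue
        for part in match.group(1).split(","):
            if ":" in part:  # iptables port range, written lo:hi
                lo, hi = (int(x) for x in part.split(":"))
                found.update(range(lo, hi + 1))
            else:
                found.add(int(part))
    return found


def mozi_indicators(rules: str) -> set[int]:
    """Ports from the article's list that this ruleset drops."""
    return dropped_ports(rules) & MOZI_BLOCKED_PORTS


def assess(rules: str, threshold: int = 3) -> str:
    """Label a ruleset 'suspicious' when at least `threshold` of the listed
    ports are dropped together. Dropping Telnet alone is normal hardening, so
    the threshold (an assumption of this example) is deliberately above one."""
    return "suspicious" if len(mozi_indicators(rules)) >= threshold else "clean"


if __name__ == "__main__":
    hits = sorted(mozi_indicators(SAMPLE_RULES))
    print(f"dropped ports from the Mozi list: {hits} -> {assess(SAMPLE_RULES)}")
```

On a real device you would feed the live output of `iptables -S` (or the vendor's equivalent) into `assess`, and treat a "suspicious" result as a prompt to check the device's running processes and firmware integrity rather than as proof of infection on its own.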

The threat intel team has also observed that this Mozi variant has been upgraded with DNS spoofing and HTTP session hijacking as the latest techniques in its arsenal for redirecting victims to malicious sites.

Microsoft has added: “Businesses and individuals that are using impacted network gateways (Netgear, Huawei, and ZTE) should take the following steps immediately to ensure they are resistant to the attacks described in this blog:

  1. Ensure all passwords used on the device are created using strong password best practices.
  2. Ensure devices are patched and up-to-date.

For more cyber security write-ups in crisp content, please follow our site via the Twitter handle @cyberworkx1.
